(B) Is the device still open?

If the system is still up and the device is currently opened (unlocked), root can use the master key to add a new key.

(RHEL 5 caveat: root can extract the master key to a file; however, cryptsetup in RHEL 5 doesn't support reading the master key to add a new key. Instead, the disk itself will need to be closed and moved to a RHEL 6 or RHEL 7 machine [along with the master key file].)

Check for open crypt devices
This command will only show open maps to LUKS-encrypted devices

The first column is the map filename (<MAP>) without the /dev/mapper/ prefix
If no output is seen, go to (C)

Find desired open map in above output and make note of its name (<MAP>)
If system has only ever had one LUKS device, go to next step
If there are [or should be] multiple LUKS devices on system, use lsblk, findmnt, df, mount, or /etc/fstab to determine the right device
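The steps above, carried through to adding a new key, as an added example (not Red Hat's own commands from this article). It assumes `dmsetup`, `cryptsetup` and `xxd` are installed and that the caller has identified the backing LUKS device; the function names and the sample table line are constructed for illustration. It also handles a case beyond what the page covers: when the kernel holds the key in its keyring, `dmsetup` shows a reference starting with `:` instead of the hex key.

```shell
# Added example (not from the original article). Run as root on the system
# where the map is still open. Function names are hypothetical.

# Constructed sample of `dmsetup table --showkeys <MAP>` output for one map:
# <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
SAMPLE_TABLE='0 417792 crypt aes-xts-plain64 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 0 8:2 4096'

# Read one crypt table line on stdin and print the hex master key.
# Exit 1: not a crypt target or no hex key. Exit 2: field 5 is a kernel
# keyring reference (":<size>:<type>:<description>"), so no hex key is exposed.
master_key_hex() {
    awk 'BEGIN { rc = 1 }
         NR == 1 && $3 == "crypt" {
             if ($5 ~ /^:/) rc = 2
             else if ($5 ~ /^[0-9a-fA-F]+$/) { print $5; rc = 0 }
         }
         END { exit rc }'
}

# Key size in bits for a hex string (two hex digits per byte).
key_bits() { echo $(( ${#1} * 4 )); }

# add_key_from_open_map <MAP> <LUKS_DEVICE>
# <MAP> comes from `dmsetup ls --target crypt`; <LUKS_DEVICE> is the backing
# block device (the "device:" line of `cryptsetup status <MAP>`).
add_key_from_open_map() {
    local map="$1" dev="$2" hex keyfile rc
    hex=$(dmsetup table --showkeys "$map" | master_key_hex) || {
        echo "$map: no hex master key available from dmsetup" >&2
        return 1
    }
    echo "$map: extracted $(key_bits "$hex")-bit master key" >&2
    # tmpfs keeps the key off persistent storage; mktemp creates it mode 0600.
    keyfile=$(mktemp /dev/shm/mk.XXXXXX) || return 1
    printf '%s' "$hex" | xxd -r -p > "$keyfile"
    # Prompts for the new passphrase and writes it to a free key slot.
    cryptsetup luksAddKey "$dev" --master-key-file "$keyfile"
    rc=$?
    rm -f "$keyfile"
    return $rc
}
```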

(C) None of that helped!

The whole point of encryption is to protect data. If there are no known keys and the device is not unlocked, the data is as good as gone.

Barring future discoveries of cryptographic weaknesses in the current LUKS/dm-crypt implementation and barring availability of advanced quantum computers, the only option likely within the realm of possibility is a brute-force dictionary attack, i.e., password-guessing.

The feasibility of a dictionary attack depends entirely on the mind that created the key(s), since LUKS allows enormous (512 characters in RHEL 7) plaintext passphrases, not to mention insanely large (8 MiB in RHEL 7) keyfiles [which can contain newlines or even arbitrary binary data].

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

It's actually not a typo. dmsetup uses standard forgiving gnu-style cmdline opt parsing -- it lets you use --showkey (or --showkeys) before or after the map-name. You also don't need to specify the /dev/mapper part.
